Update docs and Makefile, add more logging

Author: mikejoh

Makefile

@@ -24,13 +24,13 @@ run:
 send:
 	@echo "Sending a request that includes a Pod container with allowed image name:"
 	@echo
-	curl -k -X POST -H "Content-Type: application/json" --data @files/admission_req_1.json https://localhost:4443/
+	curl -k -X POST -H "Content-Type: application/json" --data @files/image_review_1.json https://localhost:4443/
 	@echo
 	@echo
 
 	@echo "Sending a request that includes a Pod container with denied image name:"
 	@echo
-	curl -k -X POST -H "Content-Type: application/json" --data @files/admission_req_2.json https://localhost:4443/
+	curl -k -X POST -H "Content-Type: application/json" --data @files/image_review_2.json https://localhost:4443/
 	@echo
 
 docker-build:

README.md

@@ -42,3 +42,46 @@ curl --cacert ./certs/ca.crt https://localhost:4443
 
 ### Deploy in Kubernetes
 
+1. Deploy `imagine` using Helm, this deploys the latest released version of `imagine`:
+
+```bash
+make deploy
+```
+
+2. Generate the needed certificate to be used with `imagine`, this will be used by `imagine` as the server-side certificate of the webhook:
+
+```bash
+make k8s-gen-cert
+```
+
+3. Copy the following files to a specific directory on all control-plane nodes:
+
+```bash
+files/admissionconfig.yaml
+files/config.yaml
+```
+
+shall be copied to `/etc/kubernetes/imagine`, make sure you've created it first.
+
+4. Now change the `kube-apiserver` static Pod manifest (in `/etc/kubernetes/manifests`), you'll need to add the following configuration:
+
+* `ImagePolicyWebhook` to the `--enable-admission-plugins`flag
+* `--admission-control-config-file=/etc/kubernetes/imagine/admissionconfig.yaml`
+
+and:
+
+```bash
+...
+spec:
+  containers:
+  - volumeMounts:
+    - mountPath: /etc/kubernetes/imagine
+      name: imagine
+      readOnly: true
+...
+  volumes:
+  - hostPath:
+      path: /etc/kubernetes/imagine
+      type: DirectoryOrCreate
+    name: imagine
+```

files/admission_req_1.json

@@ -0,0 +1,18 @@
+{
+  "kind": "ImageReview",
+  "apiVersion": "imagepolicy.k8s.io/v1alpha1",
+  "metadata": {
+    "creationTimestamp": null
+  },
+  "spec": {
+    "containers": [
+      {
+        "image": "nginx"
+      }
+    ],
+    "namespace": "default"
+  },
+  "status": {
+    "allowed": false
+  }
+}

files/admission_req_2.json

@@ -0,0 +1,18 @@
+{
+  "kind": "ImageReview",
+  "apiVersion": "imagepolicy.k8s.io/v1alpha1",
+  "metadata": {
+    "creationTimestamp": null
+  },
+  "spec": {
+    "containers": [
+      {
+        "image": "nope"
+      }
+    ],
+    "namespace": "default"
+  },
+  "status": {
+    "allowed": false
+  }
+}

files/image_review_1.json

@@ -23,10 +23,9 @@ type imagineOpts struct {
 func main() {
 	opts := imagineOpts{}
 
-	// Parse command line arguments
 	flag.StringVar(&opts.key, "key", "", "Path to the key file")
 	flag.StringVar(&opts.cert, "cert", "", "Path to the cert file")
-	flag.StringVar(&opts.imageName, "image-name", "", "Part of the image name used when validating")
+	flag.StringVar(&opts.imageName, "image-name", "", "Part of the image name that is not allowed")
 	flag.IntVar(&opts.port, "port", 4443, "Port to listen on")
 	flag.Parse()
 
@@ -89,14 +88,18 @@ func imagineHandler(imageName string) http.HandlerFunc {
 		}
 
 		var allowed bool
+		reason := fmt.Sprintf("image name contains disallowed string: %s", imageName)
+
 		for _, container := range imageReview.Spec.Containers {
-			if strings.Contains(container.Image, imageName) {
+			if !strings.Contains(container.Image, imageName) {
 				allowed = true
+				reason = ""
 				break
 			}
 		}
 
 		imageReview.Status.Allowed = allowed
+		imageReview.Status.Reason = reason
 
 		responseBytes, err := json.Marshal(imageReview)
 		if err != nil {
@@ -110,5 +113,7 @@ func imagineHandler(imageName string) http.HandlerFunc {
 		if _, err := w.Write(responseBytes); err != nil {
 			log.Printf("Failed to write response: %v", err)
 		}
+
+		log.Printf("Image: %s, Allowed: %t, Reason: %s", imageReview.Spec.Containers[0].Image, imageReview.Status.Allowed, imageReview.Status.Reason)
 	}
 }